QSA stands for Qualified Security Assessor, a role certified by the PCI Security Standards Council. QSAs are tasked with providing guidance on, and validation against, the PCI DSS. What makes QSAs distinct is that they have been certified specifically for their knowledge of the PCI DSS and their ability to advise on it. There are roughly 800 QSA individuals in North America, and their function is to assist merchants and service providers in becoming PCI compliant and in validating that compliance.
How do you become a QSA? To be certified by the PCI Council, you need to hold a CISSP certification and/or have 5 years of experience in information security, complete the official QSA training, and pass a certification exam. QSAs must also be employed by a QSA company authorized by the PCI Council, maintain their skills with a minimum of 40 hours per year of continuing education, and receive positive feedback from clients and the card brands.
What a QSA isn’t: a QSA is not law enforcement, nor is a QSA looking to report anyone for non-compliance. Your QSA is there to support your efforts to become compliant, help protect your sensitive data, educate you on best practices and on changes in the standard, and provide an understanding of the standard’s intent. That is why it is so important to be open and honest with your QSA; they are the one who can help. If you have questions regarding PCI compliance or would like to consult with a QSA, give us a call here at HALOCK Security Labs.